The offending code, highlighted by Micalizzi, is a simple loop that copies the entire URL into a fixed-sized buffer while scanning for '%' escape codes. By smashing through the end of this buffer, the attacker can arbitrarily overwrite the program's memory and its stack to gain control of the processor.

If only they had implemented ASLR for memory protections like a certain other PDF reader.

Whoa! With barely a couple of weeks to spare.... I stopped using Foxit and switched to Windows 8 Reader (it reads PDFs natively).

Not that I'd open a salted PDF from a .ru domain anyway. Whose link mysteriously appeared in my mailbox overnight, sent from a spoofed SMTP address, by a display name I don't recognize. Geeze. Exploiting folks is easy, isn't it? Almost no effort needs to go into owning someone's PC.

So I'll just say Use Local Update Publisher from http://sourceforge.net/projects/localupdatepubl/ to inject them into your WSUS server and simplify the distribution of these updates. If you're doing it some other way, you're doing it the hard way (possible exception of using SCCM ....)

It's bad enough I have to have it installed on my client PCs. But it also is used for Java APPLETS, so it's gotta be accessible in IE.

And now you're telling me I gotta go play somewhere else. Woe is me.

I run a Java-less system and quite frankly the only time when I'd need the POS installed is when I go to nVidia for drivers. Easier for me to find an alternate method of getting drivers than having to deal with Java. Of course, I've always hated Java, even when it wasn't such a security liability.

Since when does downloading drivers from nVidia require Java? Do you use the "automatic detection" method or something?

Unless it has changed recently, in order to choose from a pool of gfx cards, etc, you had to use Java. I haven't been to their site in some time, but I doubt they've changed anything. Most people do have Java installed, so...

Edit: I stand corrected. One more reason not to have the POS installed. NVidia doesn't require Java to look for particular drivers any longer. Yay!

Those of you who need to, may now get to patching Acrobat & Reader...Patches are available for versions 9 and higher on Windows, Linux, and Mac. Interestingly, the 10.0.1.6 patch is floppy sized at 1.27MB.

So we don't need to go through it again, the patches released today are not quarterly, so if you're behind on patching version 10 you should check this page out for the correct patching sequence so you don't have too many headaches when the next quarterly patch is released. Check here for the sequence for version 9. Both have links to the downloads you'll need. In my case, I'll need to push one quarterly before this OoC (Out of Cycle) update for version 10. We have a handful of legacy boxes that have 9 though, so I'll just add this to the ungodly daisy chain of patches for Acrobat 9*.

Doesn't seem to be a page like those for version 11 (XI) yet, but there's only 2 (both OoC) patches for that, and I'm sure they'll get around to explaining how the patching works with it at some point.

*In case anyone is curious about that, check the spoiler to see what you have to chain together to patch Acrobat 9 from its out of box state to current spec.

Thankfully that got fixed in 10 so you can just apply the latest quarterly, then any OoC patches.

But alas, Adobe still doesn't update their ESD sources to the latest quarterly. You have to start from whatever version got stamped onto the CD/DVD for mastering. Man, I haven't felt the Adobe hate like this since... wait. It was a week ago when they dropped their regular update for Flash five days after the prior hurried patch.

Tried to install Adobe Reader 11.0.2 on mom's computer yesterday. Ran installer as admin, naturally. Chose 'do not automatically update'. Result? Install failed with a 'could not install updater service' error, and when that happened it rolled back the entire installation. 11.0.1 installed just fine, so this was definitely a bug in their installer.

I'm not jumping to update to the very latest versions... because there will be zero day exploits for them by tomorrow anyway. And on and on and on. How long could this possibly go on before users stop giving Adobe any more money?!

Does anyone else think the Adobe network breach has something to do with blackhats discovering all these vulnerabilities? Adobe said their source code was secure, but really?

Well, it's gone on long enough for you to need 15 patches to get Acrobat 9 up to date from out of the box, and I've lost count with Flash, so I'd have to say several years, at least.

The PDF format is too entrenched with no realistic replacement out there, and people keep using flash for entirely too many things because it'll play on damn near anything and it's easy to produce, and again, there's no overall replacement yet that will run on nearly anything. HTML5 can do many things, but it's not everywhere yet, and the tools to produce it with little or no training aren't there yet either.

With Adobe doing so little to endear themselves to anybody but people looking for things to exploit, I don't think they'll ever get off some people's shit lists. It seems like it's a competitive sport finding exploits in their stuff lately.

As for updating or not, I'll update so at least I'm not open to all the old exploits and the new ones, just the new and unpatched ones (theoretically at least). Having to roll back OoC patches before applying quarterly ones is really annoying though.

Still, not as bad as Oracle opening holes in Java when trying to patch others. It's bad when you make Flash look good by comparison.

*In case anyone is curious about that, check the spoiler to see what you have to chain together to patch Acrobat 9 from its out of box state to current spec.

At least on the PC you can chain all the .msps together into a single msiexec.exe call and run it from a batch file.

I never did figure out how to do something similar on the Mac side. That was RSI-inducing all by itself. But that was in a previous life now.

Never got that to work here, even with renaming the msp files so you don't bust the 255 character limit, which happens if you leave the file names as is. But I just use a batch file and add a line for the latest patch. Takes an obscene length of time on an old XP box but it's not nearly as bad with just 40-50 of those vs the 1800+ of just over a year ago.

/update [paths] are the paths to the MSPs
/passive means all the user sees is a progress bar
/promptrestart means after installation, ask to restart instead of automatically doing it.

You can fully patch Acrobat 8/9 in less than three minutes from the original releases with this method. Should this be necessary? No, which is why I'm glad it got fixed in 10/11.

As for Flash... Not sure what you mean. The latest version of Flash updates any previous version.
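The msiexec chaining the poster above describes, written out as an added example (not code from the thread or from Adobe): a PowerShell script that gathers the Acrobat 9 MSPs from a folder, checks each patch carries a valid Authenticode signature before applying it, joins them into a single /update list, and runs msiexec with /passive, /promptrestart and a verbose log. The folder and log paths are placeholders, and it assumes the MSP file names have been numbered so that sorting by name gives Adobe's required install order; the length check is only a warning based on the 255 character limit mentioned earlier in the thread, not a documented msiexec figure.

```powershell
# Added example, not from the original thread. Applies every .msp in $PatchDir with one
# msiexec call. Assumes file names sort into the correct install sequence (e.g. 01-*.msp).
param(
    [string]$PatchDir = 'C:\Patches\Acrobat9',   # placeholder path
    [string]$LogDir   = 'C:\Logs'                # placeholder path
)

$msps = Get-ChildItem -Path $PatchDir -Filter '*.msp' | Sort-Object Name
if (-not $msps) { throw "No .msp files found in $PatchDir" }

# Refuse to apply any patch whose Authenticode signature is not valid, so a tampered or
# corrupted MSP in the share never reaches msiexec.
foreach ($msp in $msps) {
    $sig = Get-AuthenticodeSignature -FilePath $msp.FullName
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $($msp.Name): $($sig.Status)"
    }
}

# /update takes a semicolon-separated list of MSP paths.
$updateList = ($msps | ForEach-Object { $_.FullName }) -join ';'

# The thread reports failures once the list gets long; warn rather than fail silently.
if ($updateList.Length -gt 255) {
    Write-Warning "Patch list is $($updateList.Length) characters; shorten names or paths."
}

$log = Join-Path $LogDir ('Acrobat9-patch-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
$msiArgs = @(
    '/update', "`"$updateList`"",
    '/passive',            # user only sees a progress bar
    '/promptrestart',      # ask before rebooting instead of rebooting automatically
    '/l*v', "`"$log`""     # verbose log; use /log for a smaller file
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
# 0 = success, 3010 = success but a reboot is required
if (@(0, 3010) -notcontains $proc.ExitCode) {
    throw "msiexec exited with $($proc.ExitCode); see $log"
}
"Applied $($msps.Count) patches; msiexec exit code $($proc.ExitCode)"
```

Run it from an elevated prompt on a test machine first; exit code 3010 is normal when /promptrestart is declined, and the verbose log is where to look when a patch in the chain is rejected for being out of sequence.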

I was planning to give it another go with Acrobat 9, but that method hasn't worked for us in the past. We never use /passive as TPTB don't want to show installs happening, ever, if it's at all possible to avoid. Same thing for reboot prompts, which we suppress.

As for 3 minutes to patch 9, maybe on a current spec machine with an SSD, but on an Optiplex 745 or Latitude D630? 3 minutes per patch, maybe if there's a tailwind. We do enable logging though, which I know adds time to the process. Even with /log instead of /l*v it's slow on those machines. If I have time I'll try it on a test machine without any logging at all. Would be nice if the log was just "Installed Successfully" unless something went wrong, but it just isn't.

Also, we're doing this through SCCM 2007 R2, which could explain the difference.

I agree that the cumulative patching in 10/11 is a very good thing though. Still has the same install sequence silliness, but 2 patches beats the hell out of 15 patches.

Regarding Flash, it's the never ending chain of updates that's annoying. We have however run into instances where a machine has a broken install of an earlier version (using the MSI) and subsequent versions can't remove it because it can't find the older MSI, even if it's there. Using the exe installer works on these machines, but not the MSI. The earlier version of Flash works, you just can't remove it. It's faster to just use the MSI installer than dig through the registry to manually fix it, so I just exclude the machines with the problem and send them the exe version instead. And no, we don't let it auto update. I would prefer we did, but I don't make those calls.

Yeah, I know. The machines with 9 are legacy XP boxes that have apps that don't work on Windows 7 and we're not interested in a) running those apps in a VM or trying to sequence them in AppV, or b) upgrading them to Acrobat 10, as we'd then have to package and push an updated DMS client, which just isn't happening.